b'   January 22, 2003\n\n\n\n\nInformation Technology\n\n\nDevelopment Testing of Prophet\nMission-Critical Software\n(D-2003-051)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality               Integrity       Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this report, visit the Web site of the Inspector\n  General of the Department of Defense at www.dodig.osd.mil/audit/reports or\n  contact the Secondary Reports Distribution Unit of the Audit Followup and\n  Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703)\n  604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703)\n  604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                    Inspector General of the Department of Defense\n                          400 Army Navy Drive (Room 801)\n                              Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling (800)\n  424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by\n  writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The\n  identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nDITSCAP               Department of Defense Information Technology Security\n                         Certification and Accreditation Process\nEMD                   Engineering and Manufacturing Development\nMMI                   Man Machine Interface\nPEO IEWS              Program Executive Office for Intelligence, Electronic Warfare\n                         and Sensors\nPSIU                  Processor System Interface Unit\n\x0c\x0c         Office of the Inspector General of the Department of Defense\nReport No. D-2003-051                                                   January 22, 2003\n   (Project No. D2001PT-0104)\n\n\n\n                         Development Testing of Prophet\n                            Mission-Critical Software\n\n                                Executive Summary\n\nWho Should Read This Report and Why? This report concerns developmental\ntesting of DoD acquisition programs, which should be of particular interest to program\nmanagers and acquisition professionals.\n\nBackground. This report is a review of the development testing of mission-critical\nsoftware for the U.S. Army Prophet Engineering and Manufacturing Development\n(EMD) System and the Prophet Block I System. Prophet is a Division-Level ground\nbased electronic surveillance system, which provides protection in a direct support role\nto the maneuver brigade; either stationary, or while on the move. The system monitors\nand exploits signals of interest and determines the area of signal origin by providing\ndirection finding and line-of-bearing in the frequency range of 20 Megahertz to 2000\nMegahertz. Prophet is operated in either the dismounted or mounted mode. In the\ndismounted mode Prophet is man-packed with a portable antenna. In the mounted\nmode Prophet is installed in an equipment enclosure carried on a High Mobility\nMulti-Purpose Wheeled Vehicle with the antennas attached to a retractable mast.\n\nProphet EMD was developed to validate the operational performance of the system\nprior to a decision for full rate production and deployment. Prophet EMD\ndevelopmental testing was completed in September 2000 and in general met the test\ncriteria. Prophet Block I is the full rate production system and has identical electronics\nto Prophet EMD but also includes the Man Machine Interface. Prophet Block I First\nArticle Performance testing was from February 2002 to May 2002 and as a result some\nerrors were found and are being corrected. After First Article Performance Testing,\nthree Prophet Block I systems are to be refurbished and sent to Titan System\nCorporation, Melbourne, Florida, for final sell off and acceptance. The first\nproduction contract was awarded to Titan Systems Corporation in June 2001. The\ncontract obligates $7.7 million for non-recurring engineering work and six pre-\nproduction systems. Additionally, the program office plans to procure an additional\n83 systems at a recurring cost of approximately $300,000 per system.\n\nResults. The development testing of mission-critical software for Prophet EMD and\nProphet Block I was generally adequate except for the following issues.\n\x0cProphet Block I with the Man Machine Interface will be fielded without ensuring that\nthe system meets operational needs and that it retains its effectiveness and suitability for\nthe typical user in an operational environment. An operational test assessment of the\nsystem was required before fielding. For details of the recommendation see finding A\nof this report.\n\nThe system security certification of the Prophet EMD was incorrectly designated at\nlevel 1 instead of the higher level 2. Independent security certification analysis, testing,\nand evaluation were not planned. Prophet will be fielded without knowing the extent to\nwhich the systems meet information assurance requirements. For details of the\nrecommendation see finding B of this report.\n\nManagement Comments and Evaluation Response. The Army Program Executive\nOfficer for Intelligence, Electronic Warfare and Sensors (PEO IEWS) agreed that an\noperational test assessment was required for Prophet Block I with Man Machine\nInterface (MMI) and that it was scheduled for October 2002 but disagreed that it was\nnot planned. The PEO IEWS also agreed that both Prophet Engineering Manufacturing\nand Development (EMD) and Prophet Block I should be designated at certification\nLevel 2, and disagreed that Prophet Block I certification level had not been designated.\n\nAlthough Army PEO IEWS only partially concurred with the recommendations the\ncomments were responsive. We request that PEO IEWS provide the test report\ndocumenting the results of the operational test assessment and a copy of an updated\nSystem Security Authorization Agreement for Prophet Block I documenting the\ncertification level of Prophet Block I and Prophet EMD as well as the security\ncertification analysis and tests performed. We request that the documents be provided\nby March 21, 2003.\n\n\n\n\n                                             ii\n\x0cTable of Contents\n\nExecutive Summary                                                  i\n\nBackground                                                        1\n\nObjectives                                                        3\n\nFindings\n     A. Operational Test Assessment of Prophet Block I with the\n           Man Machine Interface                                   4\n     B. Certification Level 2 for Prophet Systems                  8\n\n\nAppendixes\n     A. Scope and Methodology                                     14\n          Management Control Program Review                       14\n          Prior Coverage                                          16\n     B. Definitions of Technical Terms                            17\n     C. Report Distribution                                       18\n\nManagement Comments\n     Army Program Executive Office for Intelligence, Electronic\n       Warfare and Sensors Comments                               21\n\x0cBackground\n    Army Regulation 73-1, \xe2\x80\x9cTest and Evaluation Policy,\xe2\x80\x9d February 27, 1995, and DoD\n    Regulation 5000.2-R, \xe2\x80\x9cMandatory Procedures for Major Defense Acquisition\n    Programs (MDAPS) and Major Automated Information System (MAIS) Acquisition\n    Programs,\xe2\x80\x9d April 5, 2002, govern the Prophet program development testing policy.\n    Army Regulation 73-1 describes development testing such as engineering-type tests\n    used to verify that design risks are minimized, substantiate technical performance,\n    and certify system readiness for operational test and evaluation. DoD 5000.2-R,\n    states that development test and evaluation shall: 1) Identify the technological\n    capabilities and limitations; 2) Identify and describe design technical risks; 3) Stress\n    the system under test; 4) Address the potential of satisfying Operational Test\n    and Evaluation requirements; 5) Analyze the capabilities and limitations of\n    alternatives; 6) Assess progress toward meeting Key Performance Parameters and\n    other Operational Requirements Document requirements; 7) Assess technical\n    progress and maturity against critical technical parameters; 8) Provide data and\n    analytic support to the decision process; 9) In the case of Information Technology\n    systems, support the information systems security certification process; and, 10)\n    Prior to full rate production, demonstrate the maturity of the production process.\n\n    Prophet is a Division-Level ground based electronic surveillance system, which\n    provides protection in a direct support role to the maneuver brigade; either\n    stationary, or while on the move. The system monitors and exploits signals of\n    interest and determines the area of signal origin by providing direction finding and\n    line-of-bearing. Prophet is designed to detect line-of-sight radio signals in the\n    frequency range of 20 Megahertz to 2000 Megahertz, which is in the High\n    Frequency, Very High Frequency and Ultra High Frequency bands. Prophet is\n    operated in either the dismounted or mounted mode. In the dismounted mode\n    Prophet is man-packed with a portable antenna. In the mounted mode Prophet is\n    installed in an equipment enclosure carried on a High Mobility Multi-Purpose\n    Wheeled Vehicle with the antennas attached to a retractable mast.\n\n    The program office has performed testing on two systems, Prophet Engineering and\n    Manufacturing Development (EMD) and Prophet Block I. Prophet EMD and\n    Prophet Block I have identical electronics with the exception that Prophet EMD does\n    not include a subsystem called the Man Machine Interface (MMI). Prophet EMD\n    was developed and tested to validate system performance. The results from those\n    tests were used in the decision to proceed with full rate production and deployment\n    of Prophet Block I. During the evaluation we selected three subsystems in Prophet\n    Block I that contain mission-critical software. They are the MD-405A\n    Receiver/Processor, the Processor System Interface Unit (PSIU), and the MMI.\n\n    During direction finding operation the MD-405A Receiver/Processor records and\n    reports a line-of-bearing for each received signal or frequency at the end of the\n    selected integration period. The MD-405A Receiver/Processor is operated either by\n    the front panel or through a remote host connected to the serial interface port. The\n    unit has the capability to scan up to 400 normal channels and 20 priority channels.\n    With the Prophet antennas, the unit is capable of performing direction finding on\n\n\n                                            1\n\x0cline-of-sight radio frequency emitters in the range of 20 Megahertz to 2000\nMegahertz. The MD-405A Receiver/Processor is already in use as part of the\nSpecial-Operations Command AN/PRD-13(V)2, a man-packed radio frequency\ndirection finding system. All software in the MD-405A Receiver/Processor is\ncontrolled by Titan Signal Products Division\xe2\x80\x99s configuration management process.\nThe MD-405A Receiver/Processor has approximately 73,000 lines of Assembly\nsource code of which 450 additional lines were added for the Prophet mission.\n\nPSIU is a message exchanger and process monitor. The PSIU receives, transmits\nand monitors serial data streams between subsystems. The PSIU has approximately\n13,000 lines of Assembly source code of which 9,500 lines were reused from\nsoftware in the MD-405A Receiver/Processor.\n\nMMI is a laptop computer remotely interfaced to the MD-405A Receiver/Processor\nthrough the PSIU. The MMI provides a central control center for system and\nreceiver, a signal map display, a signal parameter list display, and tools to store, sort\nand create signal parameter and voice traffic files. MMI application code is a\ncombination of commercial software, and custom developed software written in\nC++. The MMI has over 200,000 lines of C++ source code of which 110,000\nlines were reused, 40,000 lines were modified and 50,000 lines were developed.\n\nSoftware development testing for Prophet EMD was done at the unit and system\nlevel. Unit level testing focused on the correct execution of software as determined\nby correct data flow and hardware control operations. System level testing was done\nto measure the technical performance of Prophet EMD in the mounted and\ndismounted modes. In general, software development testing of Prophet EMD at\nboth the unit level and system level met the test criteria. During development\ntesting, two software errors were found. One error resulted in a change of software\nin the PSIU and the other error required software changes in the Tactical Navigation\nSystem. Both errors were corrected and retested.\n\nSince Prophet EMD and Prophet Block I are almost identical, additional\ndevelopment testing on the full rate production system was not performed. To\nvalidate whether Prophet Block I meets the contractual performance requirements a\nFirst Article Performance test is being conducted. First Article Performance testing\nincludes unit and system level testing. Unit level testing consists of tracing the\nexecution of the MMI controller, application program interface and driver level\nsoftware; reviewing the data messages being passed between the MMI, the\nMD-405A Receiver/Processor and the PSIU; and validating the operations of the\nMD-405A Receiver/Processor and MMI. After completion of unit level testing,\nProphet Block I will undergo system level technical and environmental verification\ntests. According to the program office, Prophet Block I First Article Performance\ntesting was completed in May 2002 and as a result some errors were found and are\nbeing corrected.\n\nThe first production contract was awarded to Titan Systems Corporation in\nJune 2001. The contract obligates $7.7 million for non-recurring engineering work\nand six pre-production systems. Additionally, the program office plans to procure\nan additional 83 systems at a recurring cost of approximately $300,000 per system.\n\n\n                                        2\n\x0cObjectives\n     Our objective was to evaluate development testing of mission-critical software for\n     Prophet EMD and Prophet Block I. Specifically, we evaluated the completeness\n     and adequacy of the development testing of mission-critical software in the\n     MD-405A Receiver/Processor, the PSIU, and the MMI in the areas of planning,\n     execution, and reporting. We also evaluated the adequacy of responses to test\n     results of Prophet EMD and Prophet Block I, as well as how testing deficiencies\n     affected the program.\n\n\n\n\n                                          3\n\x0c            A. Operational Test Assessment of\n               Prophet Block I with the Man\n               Machine Interface\n            Prophet Block I with the MMI will not have an operational test\n            assessment or a follow-on operational test performed prior to fielding.\n            Initial operational testing of Prophet EMD did not include the MMI.\n            The program office has not planned any additional operational tests prior\n            to fielding because key criteria were met. As a result, Prophet Block I\n            with MMI will be fielded without ensuring that the system meets\n            operational needs and that it retains its effectiveness and suitability for\n            the typical user in an operational environment.\n\nRequirements for Operational Test Assessment\n     Prophet acquisition management and strategy are governed by Army acquisition\n     policy contained in Army Regulation 70-1, \xe2\x80\x9cArmy Acquisition Policy,\xe2\x80\x9d\n     December 15, 1997. Army Regulation 70-1 follows the guidance and\n     procedures contained in DoD Directive 5000.1, \xe2\x80\x9cThe Defense Acquisition\n     System,\xe2\x80\x9d October 23, 2000, and DoD Regulation 5000.2-R, \xe2\x80\x9cMandatory\n     Procedures for Major Defense Acquisition Programs (MDAPS) and Major\n     Automated Information System (MAIS) Acquisition Programs,\xe2\x80\x9d April 5, 2002.\n     DoD 5000.2-R requires an operational test assessment when there are\n     \xe2\x80\x9chardware and software alterations that materially change system performance\n     (operational effectiveness and suitability), which includes system upgrades and\n     changes to correct deficiencies identified during test and evaluation.\xe2\x80\x9d\n\n     Prophet test and evaluation is also governed by the requirements in Army\n     Regulation 73-1, \xe2\x80\x9cTest and Evaluation Policy,\xe2\x80\x9d February 27, 1995. Army\n     Regulation 73-1 requires follow-on operational tests to \xe2\x80\x9crefine the estimates\n     made during initial operational testing, provide data to evaluate changes, verify\n     that deficiencies in materiel, training, or concepts have been corrected, and\n     provide data to ensure that the system continues to meet operational needs and\n     that it retains its effectiveness in a new environment or against a new threat.\xe2\x80\x9d\n\nInitial Operational Testing of Prophet Engineering and\n  Manufacturing Development without Man Machine\n  Interface\n     An operational test requires testing in realistic operational environments with\n     users who represent those expected to operate and maintain the system when it\n     is fielded or deployed. Initial operational testing was done with Prophet EMD\n     in two phases. The first phase was used to measure system effectiveness,\n     suitability and limited survivability when employed by a unit in an operational\n     matching environment. Phase 1 testing also included an assessment used to\n     validate the mechanics of the overall information processing architecture in the\n\n\n                                         4\n\x0c     areas of tasking, reporting and collection management. Phase 2 was a field test\n     exercise in conjunction with a planned brigade-level exercise. The objective of\n     Phase 2 was to collect data on operational effectiveness and suitability. Data\n     collected from those tests determined the system operational effectiveness,\n     suitability, and survivability and were used as input to a Milestone III full rate\n     production and fielding decision. But those tests were only performed on\n     Prophet EMD and did not include the MMI.\n\nProphet Block I First Article Performance Testing with the\n  Man Machine Interface\n     Prophet Block I First Article Performance testing with the MMI is being\n     performed at the contractor facility and at selected subcontracted laboratories\n     and test ranges with the participation of a government or quality assurance\n     witness. According to the program office, First Article Performance testing was\n     completed in May 2002 and as a result some errors were found and are being\n     corrected. During those tests, Prophet Block I had system performance and\n     environmental verification tests using manual and automated methods. System\n     performance testing includes demonstrating MMI mapping, display and control\n     functions, signal monitoring, signal detection and direction finding accuracy.\n     Environmental verification testing includes demonstrating reliability,\n     maintainability and survivability. Manual testing was done using standard test\n     equipment. Automated testing was conducted for the direction finding tests.\n     After First Article Performance testing, three systems are to be refurbished and\n     sent to Titan System Corporation, Melbourne, Florida, for final sell off and\n     acceptance. First Article Performance testing of Prophet Block I with the MMI\n     did not include an operational test with the typical user in an operational\n     environment.\n\nOperational Testing of the Man Machine Interface\n     Prophet Block I and Prophet EMD system electronics are the same with the\n     exception that Prophet Block I also includes MMI. The MMI provides primary\n     control and display of system and receiver. Additionally, MMI provides the\n     operator with a map and list display as well as tools to analyze, sort, and record\n     data. If the MMI is unavailable, the system can be operated using manual\n     controls. Because Prophet EMD initial operational tests met the key\n     performance parameter criteria, the program office decided not to perform any\n     additional operational test assessments or follow-on operational tests prior to\n     fielding of Prophet Block I.\n\n     The MMI is a laptop computer running the Microsoft Windows NT 4.0\n     operating system and contains over 200,000 lines of source code developed for\n     electronic surveillance control. The electronic surveillance control software\n     consists of three modules that are used for control interface, application program\n     interface, and receiver driver interface. The MMI also contains a set of\n     commercial-off-the-shelf software modules used for mapping, data tabling,\n     digital reporting, databasing, and support. In comparison with the other\n\n\n                                          5\n\x0c       subsystems in Prophet Block I, MMI has the largest collection of commercial-\n       off-the-shelf and custom developed software. When MMI was added to\n       Prophet, the PSIU software was modified to distribute data to and from MMI\n       and other subsystems.\n\n       Prophet Block I with MMI does improve system operational performance and\n       effectiveness. MMI allows easier control of the MD-405A Receiver/Processor\n       and system, has better displays and analysis tools for examining signals of\n       interest, and has the capability to store, sort, and transfer signal data. In fact\n       the Prophet system manager recognizes the operational benefits of having MMI\n       because planned product improvements include the requirement for Prophet\n       Block III to have MMI for intelligence digital reporting and databasing. Even\n       though Prophet can perform its mission without MMI, the addition of MMI\n       improves system performance and effectiveness. If an operational test\n       assessment or a follow-on operational test is not performed with MMI, possible\n       operational deficiencies or unsuitable features may not be detected and\n       corrected.\n\nSummary\nThe Product Manager, Prophet has not planned for Prophet Block I with MMI to have\nan operational test assessment or a follow-on operational test performed prior to\nfielding. Even though Prophet can perform its mission without MMI, an operational\ntest assessment should be performed because with MMI, the system performance and\neffectiveness are changed. Specifically, MMI allows easier control of the MD-405A\nReceiver/Processor and system; has better displays and analysis tools for examining\nsignals of interest; and has the capability to store, sort, and transfer signal parameters.\nAs a result, without an operational test assessment or follow-on operational test of\nProphet Block I, no operational data will validate the performance, effectiveness, and\nsuitability of MMI for the typical user in an operational environment.\n\nRecommendations, Management Comments and Evaluation\n Response\n       A. We recommend that the Product Manager, Prophet plans and performs\n       an operational test assessment of Prophet Block I by updating the Test and\n       Evaluation Master Plan and executing the test prior to fielding.\n\n       Management Comments. The Army Program Executive Officer for\n       Intelligence, Electronic Warfare and Sensors (PEO IEWS) agreed that an\n       operational test assessment of Prophet Block I with MMI was required prior to\n       fielding. PEO IEWS disagreed that an operational test assessment of Prophet\n       Block I with MMI was not planned prior to fielding. PEO IEWS stated that\n       based on testing to date, the Army Test and Evaluation Command recommended\n       a conditional material release for fielding of Prophet Block I with MMI, and\n       further testing was planned prior to its initial fielding. Specifically, PEO IEWS\n       stated that an operational test assessment of Prophet Block I with MMI was\n       scheduled for October 2002.\n\n\n                                             6\n\x0cEvaluation Response. Although PEO IEWS only partially concurred the\ncomments were responsive. We agree with the PEO IEWS statement that an\noperational test assessment of Prophet Block I with MMI was required.\nHowever, we disagree with the PEO IEWS comment that an operational test\nassessment of Prophet Block I with MMI was planned. We concluded this\nbecause an operational test assessment of Prophet Block I with MMI was not\ndocumented in the Prophet Ground Block I Test and Evaluation Master Plan\nRevision 5.0 or the Titan Prophet Production Block 1 First Article Performance\nTest Plan. We were also told during the evaluation that for acceptance and first\narticle tests prior to fielding, the Army Test and Evaluation Command only\nplanned to participate as a reviewer and commenter. We request that PEO\nIEWS provide the test report documenting the results of the Prophet Block I\nwith MMI operational testing.\n\n\n\n\n                                    7\n\x0c           B. Certification Level 2 for Prophet\n              Systems\n           The certification of the Prophet EMD system was incorrectly designated\n           as Level 1 instead of Level 2 because the alternatives chosen for mission-\n           reliance and integrity did not match the system characteristics. In\n           addition the Prophet Block I production system certification level is not\n           yet determined. As a result, independent security certification analysis,\n           testing, and evaluation normally conducted for Level 2 systems are not\n           planned. Prophet will be fielded without knowing the extent to which it\n           will meet information assurance requirements.\n\nInformation Assurance for Prophet Systems\n    Information Assurance. Information assurance is information operations that\n    protect and defend information and information systems by ensuring their\n    availability, integrity, authentication, confidentiality, and non-repudiation. It\n    includes providing for the restoration of information systems by incorporating\n    protection, detection, and reaction capabilities. An information system can be\n    any computer related equipment or interconnected system or subsystems of\n    equipment that is used in the acquisition, storage, manipulation, management,\n    movement, control, display or reception of voice and or data and includes\n    software, firmware, and hardware. The information systems contained in the\n    Prophet systems are the MD-405A Receiver/Processor, the PSIU, the MMI, and\n    the Tactical Navigation System. In order to ensure that the Prophet information\n    systems function properly, security features that support information assurance\n    must be implemented and tested.\n\n    Prophet System Requirements for Availability, Integrity, Authentication,\n    Confidentiality, and Non-Repudiation. Availability is the timely and reliable\n    access to data and information services for authorized users. All Prophet\n    information systems must be timely and reliable. If the MD-405A\n    Receiver/Processor and the PSIU are untimely or unavailable the Prophet\n    systems will not be able to meet their technical performance requirements.\n    Also, if either the MMI, or the Tactical Navigation System is untimely or\n    unavailable, the Prophet Block I performance and effectiveness will be\n    degraded.\n\n    Integrity is the condition existing when data is unchanged from its source and\n    has not been accidentally or maliciously modified, altered, or destroyed.\n    Without data integrity the Prophet systems would not be able to accurately\n    report the direction, level, and frequency of signals being measured. Therefore,\n    all Prophet information systems must ensure that the integrity of data used or\n    provided is unchanged.\n\n    Authentication is a security measure designed to establish the validity of a\n    transmission, message, user, or system or a means of verifying an individual\xe2\x80\x99s\n\n\n\n                                        8\n\x0c     authorization to receive specific categories of information. Prophet Block I with\n     MMI must have authentication measures established to prevent typical users\n     from inadvertently altering data.\n\n     Confidentiality is an assurance that information is not disclosed to unauthorized\n     persons, processes, or devices. Non-repudiation is the assurance that the sender\n     of data is provided with proof of delivery and the recipient is provided with\n     proof of origin, so neither can later deny having processed the data. Since the\n     Prophet systems are stand-alone, confidentiality and non-repudiation are not\n     applicable.\n\nRequirements for System Certification Level\n     DoD 5000.2-R, \xe2\x80\x9cMandatory Procedures For Major Defense Acquisition\n     Programs (MDAPS) and Major Automated Information Systems (MAIS)\n     Acquisition Programs,\xe2\x80\x9d April 5, 2002. DoD 5000.2-R Chapter 3.4.1 states\n     that development test and evaluation shall, in the case of IT systems, support the\n     information systems security certification process, and DoD 5000.2-R Chapter 3\n     Section 6.1.3 states that information assurance testing shall be conducted on\n     information systems to ensure that planned and implemented security measures\n     satisfy Operational Requirements Document and System Security Authorization\n     Agreement requirements when the system is installed and operated in its\n     intended environment.\n\n     DoD 5200.40, \xe2\x80\x9cDepartment of Defense Information Technology Security\n     Certification and Accreditation Process Instruction (DITSCAP),\xe2\x80\x9d December\n     30, 1997. DITSCAP defines a process that standardizes the activities leading to\n     system security accreditation, and applies to the acquisition, operation and\n     sustainment of any DoD system that collects, stores, transmits, or processes\n     unclassified or classified information. Both Prophet EMD and Prophet Block I\n     are required to use DITSCAP since both contain information technology systems\n     that collect store, transmit, and process data. The DITSCAP process consists of\n     four phases: Phase 1, Definition; Phase 2, Verification; Phase 3, Validation;\n     and Phase 4, Post Accreditation. Information collected during Phase 1 is used\n     to determine the certification level. The certification level establishes the\n     activities that are performed on a system for security certification and\n     accreditation.\n\n     DoD 8510.1-M, \xe2\x80\x9cDepartment of Defense Information Technology Security\n     Certification and Accreditation Process (DITSCAP) Application Manual,\xe2\x80\x9d\n     July 31, 2000. The Application Manual supports DITSCAP by presenting a\n     detailed approach to the activities comprising the certification and accreditation\n     process. Chapter 3, Phase 1 definition provides a task description on how to\n     determine the appropriate certification level of a system. Using that process a\n     certifier determines the degree of confidentiality, integrity, availability, and\n     accountability required for a system by selecting weighted alternatives\n     associated with each system characteristic. The weights selected are then totaled\n     in order to determine the appropriate certification level of the system.\n\n\n\n                                         9\n\x0c     Certification Level 2 Security Test and Evaluation. Depending on the total\n     score derived from Phase 1, the possible certification levels for a system are\n     Level 1, which requires completion of the minimal security checklist that either\n     a system user or an independent certifier may complete; Level 2, which requires\n     the completion of the security checklist and an independent certification\n     analysis; Level 3, which requires the completion of the security checklist and a\n     more in-depth independent analysis; and Level 4, which requires the completion\n     of the security checklist and the most extensive independent analysis. If a\n     system is certified at Level 2, a system security test and evaluation is required\n     during Phase 3 validation. The purpose of the security test and evaluation is to\n     validate the proper integration and operation of all security features.\n\nAssessment of Prophet Systems Security Certification Level\n     Prophet Systems Characteristic Alternatives. During the system security\n     definition phase, the program office performed a certification level assessment\n     of Prophet EMD. Using the DITSCAP Application Manual the program office\n     selected system characteristic alternatives for interface, processing, attribute,\n     mission-reliance, availability, integrity, and information categories. The\n     mission-reliance alternative chosen was \xe2\x80\x9cpartial\xe2\x80\x9d and the integrity alternative\n     chosen was \xe2\x80\x9cnot applicable.\xe2\x80\x9d After the alternatives were selected their\n     corresponding weights were added and compared to the application manual\n     certification level table. The program office total of 12 designated Prophet\n     EMD at certification Level 1. The program office did not assess Prophet\n     Block I.\n\n     During our evaluation we reviewed the characteristic alternatives selected and\n     determined that the Prophet EMD and Prophet Block I alternative for mission-\n     reliance is \xe2\x80\x9ctotal\xe2\x80\x9d instead of \xe2\x80\x9cpartial\xe2\x80\x9d and the alternative for integrity is \xe2\x80\x9cexact\xe2\x80\x9d\n     instead of \xe2\x80\x9cnot applicable.\xe2\x80\x9d\n\n     Mission-Reliance. Mission-reliance relates the degree to which the success of\n     the mission relies on the operation, data, infrastructure, or system. The\n     program office determined that Prophet mission-reliance is \xe2\x80\x9cpartial\xe2\x80\x9d because it\n     concluded that the mission \xe2\x80\x9ccan be accomplished without Prophet Block I but\n     with greater risk to personnel equipment and mission accomplishment.\xe2\x80\x9d Our\n     assessment determined that Prophet mission-reliance is \xe2\x80\x9ctotal\xe2\x80\x9d because the\n     mission of the system is totally dependent upon the specific aspects of system,\n     operation, and data. In particular, Prophet is totally dependent on the operation\n     and data of the MD-405A Receiver/Processor system, Prophet mounted is\n     totally dependent on the operation and data of the PSIU system, and when MMI\n     is being used to control the system and receiver as well as map and store signals\n     Prophet Block I is totally dependent on the operation and data of MMI. With\n     the alternative being \xe2\x80\x9ctotal\xe2\x80\x9d instead of \xe2\x80\x9cpartial\xe2\x80\x9d the weight for the mission-\n     reliance characteristic is seven instead of three.\n\n     Integrity. Integrity relates the degree in which the integrity of operation, data,\n     infrastructure, or system is needed from unauthorized modification or\n     destruction of information. The program office determined that Prophet\n     integrity is \xe2\x80\x9cnot applicable\xe2\x80\x9d since there is \xe2\x80\x9cno Prophet operation that would risk\n\n                                           10\n\x0cthe security of the data of Prophet and that no malfunction of Prophet would\nresult in sending data out of the system that from a security standpoint, should\nbe sent out.\xe2\x80\x9d We determined that Prophet integrity is \xe2\x80\x9cexact\xe2\x80\x9d because the\nspecific integrity aspects of system, operation, and data must be exact in order\nfor the system to accurately report the direction, level, and frequency of signals\nbeing measured. In particular, the integrity of the operation and data of the\nMD-405A Receiver/Processor must be exact or else Prophet would not be able\nto perform its mission. Also the integrity of the system, operation, and data as\nit applies to PSIU must be exact or else Prophet mounted would not be able to\nperform its mission, and the integrity of the system, operation, and data as it\napplies to MMI must be exact or else Prophet Block I performance will be\ndegraded. With the alternative being \xe2\x80\x9cexact\xe2\x80\x9d instead of \xe2\x80\x9cnot applicable,\xe2\x80\x9d the\nweight for the integrity characteristic is six instead of zero.\nThe following table depicts the evaluation that was done and the difference in\nscore with the adjusted values in mission-reliance and integrity.\n\n    System Characteristic Comparison Table for Prophet Systems\n      System            SSAA        Adjusted       SSAA      Adjusted\n    Characteristic   Alternative    Alternative    Weight    Weight\n   Interface Mode           Passive          Passive         2           2\n\n  Processing Mode         Dedicated         Dedicated        1           1\n\n   Attribute Mode            None             None           0           0\n\n Mission-Reliance*          Partial           Total          3           7\n\n     Availability           ASAP             ASAP            4           4\n\n      Integrity*        Not-Applicable       Exact           0           6\n\n     Information           Sensitive        Sensitive        2           2\n      Categories\n                                             Total*         12          22\nDenotes a difference*\n\n\nCertification Level. The total score determines the certification level of the\nsystem. A score of less then 16 designates a system at certification Level 1. A\nscore between 12 and 32 designates a system at certification Level 2. Because\nthe total is 22 both Prophet EMD and Prophet Block I should be at certification\nLevel 2.\n\nBecause both Prophet EMD and Prophet Block I certification levels should be at\nLevel 2, the Prophet Program Office is required to complete a minimal security\nchecklist, perform an independent certification analysis and during Phase 3\n\n\n                                       11\n\x0c    validation, implement a security test and evaluation. By implementing those\n    procedures, system security features for availability, integrity, and\n    authentication would be verified and Prophet would operate at an acceptable\n    level of residual risk.\n\nSummary\n    Both Prophet EMD and Prophet Block I information systems require\n    information assurance security features to ensure system availability, integrity,\n    and authentication. The Prophet Program Office performed a system security\n    assessment of Prophet EMD and designated it at certification Level 1. The\n    program office has not performed an assessment of Prophet Block I.\n    Certification Level 1 system security assessment only requires a minimal\n    security checklist. During our assessment we determined that Prophet EMD and\n    Prophet Block I should be at certification Level 2. Our result was based on\n    Prophet EMD and Prophet Block I mission-reliance being \xe2\x80\x9ctotal\xe2\x80\x9d instead of\n    \xe2\x80\x9cpartial\xe2\x80\x9d and the degree of integrity being \xe2\x80\x9cexact\xe2\x80\x9d instead of \xe2\x80\x9cnot applicable.\xe2\x80\x9d\n    Because the Prophet systems certification is not Level 2, an independent security\n    certification analysis, testing, and evaluation is not planned. Prophet will be\n    fielded without knowing the extent to which the systems meet information\n    assurance requirements.\n\nRecommendations, Management Comments and Evaluation\n Response\n    B. We recommend that the Product Manager, Prophet designate Prophet\n    EMD and Prophet Block I at system security certification Level 2 and\n    implement an independent security certification analysis that includes a\n    security test and evaluation during Phase 3 validation as specified in\n    Department of Defense Information Technology Security Certification and\n    Accreditation Process (DITSCAP) Application Manual 8510.1-M, July 31,\n    2000.\n\n    Management Comments. The Army PEO IEWS partially concurred with the\n    finding. PEO IEWS agreed that both Prophet EMD and Prophet Block I should\n    be redesignated at certification Level 2. PEO IEWS also agreed that both\n    Prophet EMD and Prophet Block I are required to have information assurance\n    analysis and testing commensurate with Level 2 requirements. PEO IEWS\n    disagreed that the Prophet Block I certification level had not been determined.\n\n    Evaluation Response. Although Army PEIO IEWS only partially concurred,\n    the comments were responsive. We agree that both Prophet EMD and Prophet\n    Block I should be redesignated at certification Level 2. We also agree that the\n    appropriate information analysis and testing should be performed commensurate\n    with that level. We disagree with the PEO IEWS statement that Prophet Block I\n    was designated at certification Level 2 during the evaluation because it was not\n    documented in Phase 1 of the System Security Authorization Agreement for\n    Prophet Block I. We request that PEO IEWS provide the updated System\n    Security Authorization Agreement for Prophet Block I documenting the\n\n                                        12\n\x0ccertification level of Prophet Block I as well as the security certification analysis\nand tests performed.\n\n\n\n\n                                     13\n\x0cAppendix A. Scope and Methodology\n    To accomplish the evaluation objective, we examined program management of\n    Prophet Developmental Testing process of mission-critical software and its\n    related documentation.\n\n    We reviewed the organizational structure, software development process and\n    software development testing of Prophet EMD. We obtained and reviewed the\n    Prophet Test and Evaluation Master Plan, Developmental Test Plan, and Test\n    Reports. We selected three of the six subsystems in Prophet that contain\n    mission-critical software for our evaluation. We visited the Prophet Program\n    Office, the developmental and operational test sites, and the contractor software\n    developmental test facilities to verify and validate test process and test results.\n    Results of this evaluation provided insight into the completeness and adequacy\n    of the developmental software testing done for Prophet EMD and\n    Prophet Block I.\n\n    We performed this evaluation from October 2001 to May 2002 according to\n    standards implemented by the Inspector General of the Department of Defense.\n\n    We visited or contacted individuals and organizations within DoD, Titan System\n    Corporation, Santa Clara, California, and Tera Research Incorporated,\n    Sunnyvale, California.\n\n    Use of Computer-Processed data. We relied on computer-processed data from\n    the Command, Control, Communications, Computers and Intelligence Test\n    Division Final Report for the Production Verification Test of the Prophet\n    Block I, March 2000, of the Army Electronic Proving Ground to determine the\n    completeness and adequacy of the testing. We reviewed the computer hardware\n    and software configurations used. We observed the operations of the test\n    computer, which generated the test signals, as well as examined the test signal\n    data files. Although, we did not perform a formal reliability assessment of the\n    computer-processed data, nothing came to our attention as a result of the\n    procedures that caused us to doubt the reliability of the computer-processed\n    data.\n\n    General Accounting Office High Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This evaluation report\n    provides coverage of the Defense Systems Modernization high-risk area.\n\nManagement Control Program Review\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26,\n    1996, and DoD Instruction 5010.40, \xe2\x80\x9cManagement Control (MC) Program\n    Procedures,\xe2\x80\x9d August 28, 1996, require DoD organizations to implement a\n    comprehensive system of management controls that provides reasonable\n    assurance that programs are operating as intended and to evaluate the adequacy\n    of the controls.\n\n                                         14\n\x0cScope of Review of Management Controls. Management control was not an\nannounced objective of this evaluation. However, we reviewed the management\ncontrol program related to the overall evaluation objectives and determined that\nthe pertinent management controls concerning Developmental and Operational\nTesting of Mission-Critical Software for Prophet Block I system were\ninadequate (See the finding A).\n\nAdequacy of Management Control Program. We identified a material\nmanagement control weakness at Prophet Program Office as defined by DoD\nInstruction 5010.40. The Product Manager, Prophet has not planned for\nProphet Block I with MMI to have an operational test assessment or a follow-on\noperational test performed prior to fielding. Product Manager, Prophet should\nplan and perform an operational test assessment test because with MMI, the\nsystem performance and effectiveness are changed. If management implements\nall recommendations, the management control weakness will be corrected. A\ncopy of the report will be provided to the senior official responsible for\nmanagement controls within Program Management Office for Signal Warfare.\n\nAdequacy of Management\xe2\x80\x99s Self-Evaluation. Prophet Program Office did not\nidentify the need to perform the operational assessment test as an assessable unit\nand, therefore, did not identify or report the material management control\nweaknesses identified by the audit.\n\nManagement Comments on Management Control. The Army PEO IEWS\nnon-concurred with the IG DoD opinion that a management control weakness\nexisted because an operational test assessment was not planned for Prophet\nBlock I with MMI. PEO IEWS stated that an operational test assessment of\nProphet Block I with MMI has always been planned. PEO IEWS also stated\nthat management controls are in place at both the Program Management and\nProgram Executive Office levels, which include program reviews, planning, and\nan acquisition memorandum that requires follow-on-testing of any differences\nfrom the Prophet EMD to production configuration.\n\nEvaluation Response. DoD 5010.40 \xe2\x80\x9cManagement Control Program\nProcedures,\xe2\x80\x9d August 28, 1996 states, weaknesses in management control should\nbe reported if they are deemed to be material. A material weakness in\nmanagement control must satisfy two conditions: management controls are not\nin place, or are not used or are inadequate; and the weakness identified requires\nthe attention of the next higher level of management. During the evaluation a\nmaterial weakness in management control related to finding A was identified\nbecause it satisfied the two conditions. First of all, management controls in\nplace did not adequately plan for the operational test assessment. This was\ndetermined because the Prophet Ground Block I Test and Evaluation Master\nPlan Revision 5.0 and the Titan Prophet Production Block 1 First Article\nPerformance Test Plan did not document the planning of an operational test\nassessment and discussions with Army Test and Evaluation Command\nrepresentatives revealed that for the acceptance and first article tests prior to\nfielding of Prophet Block I, the Army Test and Evaluation Command only\nplanned to participate as a reviewer and commenter. Secondly, the attention of\n\n\n                                    15\n\x0c    the next higher level of management, PEO IEWS, was required. This was\n    determined because of the relative impact of the material weakness on the\n    testing, deployment, and use of Prophet Block I with MMI.\n\n\nPrior Coverage\n    No prior coverage has been conducted on the subject for the last 5 years.\n\n\n\n\n                                       16\n\x0cAppendix B. Definitions of Technical Terms\n   AN/PRD-13(V)2 - Special Operations Command radio frequency direction\n   finding system consisting of the MD-405A Triple Receiver/Processor, direction\n   finding and intercept antennas, cables and power accessories.\n\n   Assembly - A programming language that is once removed from a computer\xe2\x80\x99s\n   machine language.\n\n   C++ - A high-level programming language, developed by Bjarne Stroustrup at\n   Bell Labs. C++ adds object-oriented features to its predecessor, C.\n\n   Line-Of-Bearing \xe2\x80\x93 A line extending in the direction of a bearing.\n\n   Line-Of-Sight - A straight line between an observer and a target.\n\n   MD-405A - An integrated, programmable, intercept/direction finding processor\n   that supports highly automated signal intercept and direction finding functions\n   over the frequency range from 100 kHz to 2000 MHz.\n\n   Megahertz - A unit of frequency equal to one million cycles per second.\n\n   Prophet Engineering and Manufacturing Development (EMD) - Prophet\n   System without the MMI that was used for developmental and operational\n   testing.\n\n   Prophet Block I - Prophet Full Rate Production System that has identical\n   electronics to Prophet EMD with the addition of the MMI.\n\n   Root mean square - The square root of the mean value of the sum of the\n   squares.\n\n   System Level Testing - Tests used to assess if the system meets the overall\n   performance objectives of the software requirements and system specifications.\n\n   Unit Level Testing - The lowest level developer test of software. The purpose\n   of unit testing is to validate requirements expressed in the detailed design\n   descriptions and software requirements specifications. In addition, unit testing\n   is performed to ensure that all source statements in a unit have been executed,\n   each conditional branch has been taken, and that all boundary values (for\n   example, minimum-maximum values) and edit criteria are tested.\n\n\n\n\n                                      17\n\x0cAppendix C. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nDeputy Under Secretary of Defense (Command, Control, Communications and\n   Intelligence)\nDirector, Operational Test and Evaluation\n\nDepartment of the Army\nAssistant Secretary of the Army (Financial Management and Comptroller)\nAssistant Secretary of the Army (Acquisitions, Logistics, and Technology)\n  Program Executive Officer for Intelligence, Electronic Warfare and Sensors\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\n\n\n\n                                          18\n\x0cCongressional Committees and Subcommittees, Chairman and\n Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                         19\n\x0c\x0cArmy Program Executive+ Office for Intelligence,\nElectronic Warfare and Sensors Comments\n\n\n\n\n                                                   Note:\n                                                   Comments\n                                                   were received\n                                                   on October 1,\n                                                   2002\n\n\n\n\n                       21\n\x0c22\n\x0c23\n\x0c24\n\x0cTeam Members\nThe Technical Assessment Division Directorate, Office of the Assistant\nInspector General for Auditing of the Department of Defense prepared this\nreport. Personnel of the Office of the Inspector General of the Department of\nDefense who contributed to the report are listed below.\n\n\nDavid A. Brinkman\nKenneth H. Stavenjord\nPeter C. Johnson\nAnh H. Tran\nCindy L. Gladden\nAnn A. Ferrante\n\x0c'